Zenis Ransomware

Zenis Ransomware is a dangerous infection that first appeared in March 2018. It is not a prevalent infection, because only a handful of victims have reported it so far. Nevertheless, it is worth pointing out the main aspects of this intruder so that you can avoid it in the future. It is quite possible that this has been a test run for the program, because our researchers have had trouble finding working samples. That is good news for you, because it means that it should not be hard to remove Zenis Ransomware.

Because the infection is not widespread, it is reasonable to assume that it is mostly distributed through compromised Remote Desktop connections. This happens when the Remote Desktop Protocol (RDP) service is exposed to the Internet and poorly protected, so that malicious third parties can break into it, for example by brute-forcing weak or reused passwords. This would mean that Zenis Ransomware is distributed manually. That is to say, users do not receive it as a spam email attachment (as usually happens with ransomware programs). Instead, cyber criminals look for vulnerable systems through RDP and plant the malware on those systems directly. If that is really the case, you clearly need to safeguard your RDP service against this kind of abuse: do not expose it directly to the Internet, require strong passwords and an account lockout policy, enable Network Level Authentication, and watch for repeated failed logons.
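The practical check that goes with this: if RDP is the way in, the Windows Security log will show bursts of failed logons (event ID 4625 with logon type 10, RemoteInteractive) from the attacker's address before the infection. The script below is an added example, not code from the original article. It reads such events in a simple one-line-per-event form (the sample lines are constructed for the demo, not real log data), keeps only RDP failures, counts how many each source address produced in any five-minute window, and labels the pattern as brute force (one account, many guesses) or password spraying (many accounts, one guess each). The line format, the window and the threshold are assumptions; a real sweep would feed it events exported from the Security log in that form.

```python
"""Triage of failed RDP logons from Windows Security event 4625 records.

Added example, not from the original article.  The event lines are
constructed for the demo, not captured from a real host; in practice they
would be exported from the Security log in the same one-line form.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_ID = "4625"       # "An account failed to log on"
RDP_LOGON_TYPE = "10"          # RemoteInteractive, i.e. an RDP session
WINDOW = timedelta(minutes=5)  # assumption: how tightly failures must cluster
THRESHOLD = 10                 # assumption: failures from one source inside WINDOW

# Assumed export format: "<ISO time> <event id> LogonType=<n> TargetUser=<u> SourceIP=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one exported event line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_rdp_failures(lines, window=WINDOW, threshold=THRESHOLD):
    """Group RDP logon failures by source address and flag the noisy ones."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["id"] != FAILED_LOGON_ID or ev["ltype"] != RDP_LOGON_TYPE:
            continue  # not a failed RDP logon; network or local logon failures are ignored here
        per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in per_ip.items():
        peak = peak_in_window([e["ts"] for e in evs], window)
        if peak < threshold:
            continue
        users = {e["user"] for e in evs}
        # Many distinct accounts with few attempts each is spraying; the reverse is brute force.
        pattern = "password-spray" if len(users) > len(evs) / 2 else "brute-force"
        findings[ip] = {
            "failures": len(evs),
            "peak_in_window": peak,
            "accounts": sorted(users),
            "pattern": pattern,
        }
    return findings


def constructed_sample():
    """Constructed sample events: one brute forcer, one sprayer, one typo-prone user."""
    base = datetime(2018, 3, 20, 9, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} 4625 LogonType={lt} TargetUser={user} SourceIP={ip}"
    lines = []
    for i in range(25):   # 203.0.113.7: 25 guesses at one account in two minutes
        lines.append(fmt.format(ts=base + timedelta(seconds=5 * i), lt=10,
                                user="administrator", ip="203.0.113.7"))
    for i in range(12):   # 198.51.100.9: one guess against each of 12 accounts
        lines.append(fmt.format(ts=base + timedelta(seconds=15 * i), lt=10,
                                user=f"user{i:02d}", ip="198.51.100.9"))
    for i in range(2):    # 192.0.2.5: a legitimate user mistyping a password twice
        lines.append(fmt.format(ts=base + timedelta(minutes=i), lt=10,
                                user="jsmith", ip="192.0.2.5"))
    # A failed network (type 3) logon from the brute forcer: not RDP, so not counted
    lines.append(fmt.format(ts=base, lt=3, user="administrator", ip="203.0.113.7"))
    return lines


SAMPLE_LINES = constructed_sample()

if __name__ == "__main__":
    for ip, f in sorted(triage_rdp_failures(SAMPLE_LINES).items()):
        print(f"{ip}: {f['pattern']} ({f['failures']} failures, "
              f"peak {f['peak_in_window']} within {WINDOW})")
```

On the constructed sample the brute forcer and the sprayer are both flagged while the user who mistyped a password twice is not. The flagged addresses are the ones to block at the firewall, and the accounts they tried are the ones whose passwords should be reset before the machine is cleaned, otherwise the attackers simply log back in.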

As far as we know, once the program is launched on a target computer, it scans the system for files it can encrypt. Before it does so, it checks whether the launched executable has the exact filename the program expects. The original filename of the infection is iis_agent32.exe. If the filename is the one Zenis Ransomware needs, the program then inspects the Windows Registry for the entry HKEY_CURRENT_USER\SOFTWARE\ZenisService.

Our research team believes that these checks are safeguards built in by the program's developers. If the original filename has been changed, or if the registry check does not come out the way the program expects, it does not perform the encryption. So it would seem that if someone were to take the installer and use it for their own gains, they could not simply run it. It could also be that this is how the developers of Zenis Ransomware try to protect their infection from security analysis: an automated sandbox that renames the sample before running it will never see the encryption routine. Whichever it is, the developers have clearly put some thought into it.

In a real infection, all the necessary conditions are met, and the encryption commences. The ransomware targets a wide range of extensions, including: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, and many others. Looking at the extensions, it is easy to see that Zenis Ransomware can encrypt most of your personal files. Ransomware programs target users' files and usually leave system files alone, because they need the computer to keep working so that the ransom can be paid.
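To see how much of a machine an extension list like this actually covers, the script below walks a directory tree, counts the files whose extension is on the list, and prunes the system directories that ransomware typically leaves untouched. It is an added example, not code from the original article or from the malware. The extension set is the one named above; the set of skipped directories is an assumption about typical ransomware behaviour, and the directory tree it runs against is constructed inside a temporary folder so the script runs anywhere. Point inventory() at a real drive to get a real picture of what a backup would have to cover.

```python
"""Exposure inventory: which files a Zenis-style extension list would hit.

Added example, not code from the original article or from the malware.  The
directory tree is constructed in a temporary folder for the demo.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the article (the malware's real list is longer).
TARGETED_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpeg", ".png",
    ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd",
    ".mp4", ".7z", ".rar", ".m4a", ".wma", ".avi", ".wmv",
}

# Assumption: system directories a ransomware skips so the host keeps booting.
SKIPPED_DIRS = {"windows", "program files", "program files (x86)", "$recycle.bin"}


def inventory(root, extensions=TARGETED_EXTENSIONS, skipped=SKIPPED_DIRS):
    """Return (targeted paths, total bytes, per-extension counts) under `root`."""
    hits, total, by_ext = [], 0, Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in skipped]
        for name in filenames:
            ext = Path(name).suffix.lower()  # extension match is case-insensitive
            if ext in extensions:
                path = Path(dirpath, name)
                hits.append(path)
                total += path.stat().st_size
                by_ext[ext] += 1
    return hits, total, by_ext


def build_constructed_tree():
    """Create a small constructed directory tree and return its root."""
    root = Path(tempfile.mkdtemp(prefix="zenis_demo_"))
    files = {
        "Users/alice/Documents/report.DOCX": 2048,        # upper-case extension still matches
        "Users/alice/Documents/budget.xlsx": 1024,
        "Users/alice/Pictures/holiday.png": 4096,
        "Users/alice/Pictures/thumbs.db": 512,            # not on the list
        "Users/alice/Projects/site/index.php": 300,
        "Users/alice/Projects/site/app.sln": 100,
        "Windows/System32/drivers/etc/hosts.txt": 64,     # listed extension, skipped directory
        "Program Files/Tool/readme.txt": 128,             # skipped directory
    }
    for rel, size in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"A" * size)
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    hits, total, by_ext = inventory(demo_root)
    print(f"{len(hits)} targeted files, {total} bytes, under {demo_root}")
    for ext, n in sorted(by_ext.items()):
        print(f"  {ext}: {n}")
```

On the constructed tree, five of the eight files are reported: the two .txt files survive only because they sit in directories the walk prunes, which is exactly why an infected machine still boots after its documents are gone.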

Once the encryption process is complete, Zenis Ransomware displays a ransom note. The note instructs you to email the developers with a copy of your encrypted files. If they confirm that the files were encrypted by their program, they will reply with the ransom price and payment details. However, computer security experts strongly advise against paying these criminals anything. In fact, our research shows that it may be possible to restore your files if you contact malware researcher Michael Gillespie for a decryption tool. There is no guarantee that it will work, but it is definitely worth a try. Whatever you do, keep copies of the encrypted files and of the ransom note before cleaning the system, because a decryptor needs them.

As far as manual removal is concerned, terminating Zenis Ransomware is not that difficult. You will have to delete any suspicious files you have launched recently (the original sample is named iis_agent32.exe, but it may have been renamed), and then remove the Registry entries associated with the infection. If you would rather not deal with it on your own, you can use a security tool that removes Zenis Ransomware automatically. Whichever route you take, make sure that all malicious files are gone, and close the exposed RDP access that let the attackers in, otherwise they can simply come back. Keep in mind that removing the ransomware does not decrypt your files. The cleanup itself should not be challenging with a licensed anti-spyware tool, but do not hesitate to leave us a comment if you have more questions.